EyeMed Vision Care LLC’s $4.5 million settlement last week of a New York cybersecurity investigation is the latest signal that regulators are putting pressure on financial services firms.
The New York State Department of Financial Services said last week that its investigation found the insurance company violated state rules by not implementing multi-factor authentication for its email system and by allowing nine employees to share login credentials to the affected mailbox.
“Had these controls been in place, the July 1, 2020 cybersecurity event may have been prevented or had a limited scope,” the NYDFS said.
The penalty is the second imposed on the vision insurance company in New York state this year over the incident, in which an attacker broke into its email system and accessed data on more than 2 million customers, including children.
EyeMed did not respond to requests for comment. The company has committed to “changing its policies, procedures, systems and governance structures,” NYDFS said.
State and federal agencies have stepped up cybersecurity enforcement in recent years as hacks disabling critical infrastructure or exposing consumers’ personal information have increased.
Cincinnati-based EyeMed had already paid $600,000 to settle a separate investigation by New York Attorney General Letitia James, whose office found that the phishing attack gave the attacker access to data such as names, Social Security numbers, and medical diagnoses and conditions.
Last week’s consent order, one of three multimillion-dollar cybersecurity agreements NYDFS has entered into in recent months, comes as the agency prepares to propose regulatory updates that some cybersecurity experts expect within a few weeks. Current rules require financial services firms to strengthen their cyber posture, conduct periodic risk assessments and submit annual compliance certifications to the agency.
The pre-proposal changes NYDFS released in July appear more prescriptive, suggesting that companies install additional security measures such as password vaults to protect privileged login credentials, said Erez Liebermann, a partner at the law firm Debevoise & Plimpton LLP.
The possible updates, coupled with pending federal regulations from the Securities and Exchange Commission, could push senior executives to take a more active role in security management, he said.
“It increases and increases cybersecurity accountability to the C-suite and the board,” Liebermann said.
Violating NYDFS cyber rules has cost some companies dearly.
In August, the cryptocurrency trading unit of online brokerage Robinhood Markets Inc. paid $30 million to settle an investigation into alleged violations, including an understaffed cybersecurity team and inadequately documented security procedures. Robinhood said at the time that it had made “significant progress” in improving those areas.
Cruise operator Carnival Corp. and its subsidiaries agreed in June to pay NYDFS $5 million after the regulator uncovered multiple security flaws linked to four cyber incidents between 2019 and 2021, including two ransomware attacks. The company, which falls under NYDFS jurisdiction because it is licensed to sell insurance, declined to comment.
At EyeMed, company officials failed to conduct a risk assessment as required by New York State, invalidating the compliance certifications the company filed with NYDFS from 2018 through 2021, the regulator said. Under the consent order, the company must complete a risk assessment within 180 days and, within 60 days, submit a plan for how it will improve its security measures.
Write to David Uberti at [email protected]
Copyright ©2022 Dow Jones & Company, Inc. All rights reserved.